According to Xiao, the Transmission app – a BitTorrent client – was modified to include this ransomware. The infected app was distributed from the official Transmission website, but with a different code signature than the one previously used to sign the Transmission app, implying that the app itself had been modified and re-signed by the attacker (although this has not yet been confirmed).

The modified copy of Transmission includes a file named General.rtf, which is actually an executable file rather than the rich-text document it pretends to be. When the app is launched, this file is copied to a file named kernel_service in the user Library folder (which is hidden by default on recent versions of OS X).

This kernel_service process remains running in the background, and creates additional files named .kernel_pid and .kernel_time in the user Library folder. The latter of these files contains a timestamp, which is used to identify when 3 days have passed.

After 3 days, the malware “detonates” and begins encrypting files. According to Xiao, it will encrypt everything in the /Users folder, as well as files having common document extensions found in the /Volumes folder (in other words, files that are on connected external hard drives, servers, etc). In each folder where files have been encrypted, a file named “README_FOR_DECRYPT.txt” is created, containing instructions for how to pay for a decryption key.

The fact that this malware will encrypt external drives and connected network volumes means that it could encrypt backups, including Time Machine backups stored on a Time Capsule. Worse, there is code in the app – though unused at this time, according to Xiao – in a routine called “_encrypt_timemachine”. This means that your backups, which you would want to keep intact in the event of a ransomware infection, may also fall victim to this malware.

Interestingly, there appears to be no persistence mechanism to this malware. The kernel_service process will remain running, but if you restart the computer, it does not start back up automatically. You must re-open the infected Transmission app in order to re-activate the process.

Apple has both added detection of this malware to XProtect and revoked the developer certificate used to sign the malicious copy of Transmission. This means that new infections should not be possible without an update of the malware. However, it’s important to note that if you have already run the infected copy of Transmission on your Mac, this will not prevent you from opening it again: your Mac will consider it safe at this point, since it has been successfully opened previously. That means this doesn’t help users who are already infected and who have a 3-day timer counting down.

Some people may be tempted to pay the ransom to get back their files. However, it’s important to understand that this is an extremely bad idea. In the Windows world, paying the ransom sometimes results in getting a key that can successfully unlock the files. However, it can also result in sending money to the hackers and getting nothing in return, or receiving a key that doesn’t actually work properly because the ransomware was poorly written.

If you have downloaded the Transmission app recently, you should delete the app and restart your computer. This should prevent re-activation of the malware.

You can also detect and remove this malware with Malwarebytes Anti-Malware for Mac. Keep in mind, though, that any files that get encrypted before removal will be lost (unless they have been backed up and the backups are still intact).
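For readers who want to check a Mac by hand, the following added shell script (not part of the original post, and not Malwarebytes' own tooling) looks for the on-disk artifacts described above (kernel_service, .kernel_pid and .kernel_time under ~/Library), for a running kernel_service process, and for the README_FOR_DECRYPT.txt ransom notes that mark already-encrypted folders. The function names are this example's own; the file and process names come from the article.

```shell
#!/bin/sh
# Added example: manual KeRanger indicator check for one user's home folder.
# Artifact names are those given in the article; function names are ours.

# Print how many of the three ~/Library indicator files exist under "$1".
# Hits go to stderr so stdout stays a clean number for scripting.
keranger_indicator_count() {
    lib="$1/Library"
    n=0
    for f in kernel_service .kernel_pid .kernel_time; do
        if [ -e "$lib/$f" ]; then
            echo "indicator present: $lib/$f" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Print every directory under "$1" that holds a ransom note, one per line.
# These are the folders whose contents have already been encrypted.
ransom_note_dirs() {
    find "$1" -type f -name README_FOR_DECRYPT.txt 2>/dev/null \
        | sed 's|/README_FOR_DECRYPT.txt$||' | sort
}

# Succeed (exit 0) if a kernel_service process is running for this user.
kernel_service_running() {
    pgrep -u "$(id -u)" -x kernel_service >/dev/null 2>&1
}

# Human-readable summary; defaults to the current user's home directory.
keranger_report() {
    home="${1:-$HOME}"
    n=$(keranger_indicator_count "$home")
    echo "indicator files in $home/Library: $n (of 3)"
    if kernel_service_running; then
        echo "kernel_service is running: quit it, delete Transmission, then reboot"
    fi
    notes=$(ransom_note_dirs "$home")
    if [ -n "$notes" ]; then
        echo "ransom notes found in:"
        echo "$notes"
    fi
}

# Run the report only when invoked as: sh keranger_check.sh --run
if [ "${1:-}" = "--run" ]; then
    keranger_report
fi
```

A count of 3 plus a running kernel_service process means the timer is already counting; the ransom-note search tells you which folders are past recovery without a backup.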

Also, keep in mind that this is not the first time that Mac users have been infected following the download of a torrent client, though in the past such infections have always been adware. Think carefully before dealing with torrents in the future.
